GLSA 200403-03 specifies certain packages of openssl to be vulnerable, and certain ones to be non-vulnerable. While running a non-vulnerable version, glsa-check wants to emerge an older non-affected package.

Reproducible: Always

Steps to Reproduce:
1. glsa-check -p 200403-03

Actual Results: It listed the older package

Expected Results: It should have reported not-affected

Checking GLSA 200403-03
The following updates will be performed for this GLSA:
    dev-libs/openssl-0.9.6m (0.9.7d-r1)

bartof@bartof:~$ emerge openssl -p
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild   R   ] dev-libs/openssl-0.9.7d-r1

Affected packages
=================
-------------------------------------------------------------------
 Package            /  Vulnerable  /                     Unaffected
-------------------------------------------------------------------
 dev-libs/openssl     <= 0.9.7c                          >= 0.9.7d
 dev-libs/openssl     <= 0.9.7c                          == 0.9.6m

It appears that glsa-check looked at the last portion, and ignored the first option for unaffected packages.
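The unaffected-range matching this report is about, as an added illustration and not glsa-check's own code: an installed version is unaffected if it matches any of the GLSA's unaffected entries, and consulting only the last entry reproduces the wrong answer for 0.9.7d-r1. The version parser covers only an assumed subset of Gentoo version syntax (dotted numbers, one letter suffix, -rN revision), which is enough for the versions listed above.

```python
import re

# GLSA 200403-03 entries for dev-libs/openssl, as listed in the report.
GLSA_200403_03 = {
    "dev-libs/openssl": {
        "vulnerable": ["<= 0.9.7c"],
        "unaffected": [">= 0.9.7d", "== 0.9.6m"],
    }
}

# Assumption: versions are dotted numbers, an optional letter and an
# optional -rN revision (enough for the versions in this report).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?$")

def parse_version(version):
    """Turn e.g. '0.9.7d-r1' into a tuple that sorts the way Gentoo does:
    numeric parts first, then the letter suffix, then the revision."""
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError("unsupported version string: %s" % version)
    numbers, letter, revision = match.groups()
    return (tuple(int(n) for n in numbers.split(".")), letter, int(revision or 0))

_OPERATORS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}

def matches(spec, installed):
    """True if the installed version satisfies a spec such as '>= 0.9.7d'."""
    operator, version = spec.split()
    return _OPERATORS[operator](parse_version(installed), parse_version(version))

def is_unaffected(package, installed, last_entry_only=False):
    """Correct rule: unaffected if ANY unaffected entry matches.
    last_entry_only=True mimics the behaviour the report describes, where
    only the final '== 0.9.6m' entry is consulted and 0.9.7d-r1 is misjudged."""
    entries = GLSA_200403_03[package]["unaffected"]
    if last_entry_only:
        entries = entries[-1:]
    return any(matches(spec, installed) for spec in entries)

def is_vulnerable(package, installed):
    """True if the installed version lies in a vulnerable range."""
    return any(matches(s, installed) for s in GLSA_200403_03[package]["vulnerable"])

def needs_update(package, installed):
    """glsa-check should only act on vulnerable versions not covered as unaffected."""
    return is_vulnerable(package, installed) and not is_unaffected(package, installed)
```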
Security: That GLSA seems to be broken.
GLSA syntax looks ok to me and it works when using latest glsa.py gentoolkit. Maybe (one more) bug 65664 dupe?

pioneer root # glsa-check -p 200403-03
WARNING: [...]
Checking GLSA 200403-03
Nothing to do for this GLSA

pioneer root # etcat versions dev-libs/openssl
* dev-libs/openssl :
        [   ] 0.9.6m (0)
        [M~ ] 0.9.7c (0)
        [M  ] 0.9.7c-r1 (0)
        [   ] 0.9.7d (0)
        [  I] 0.9.7d-r1 (0)
Reporter: is this still a problem with gentoolkit-0.2.0_pre10?
Seems to be working now. Marking as FIXED.